0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Zepl Notebook Sandbox Escape Vulnerability
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
Exploit Title: Zepl Notebook - Sandbox Escape Vendor Homepage: https://zepl.com/ Software Link: https://app.zepl.com/ Version: Affects all versions of the product up to the date of this submission Tested on: The issue affects all versions of the product up to the date of this submission Exploit Authors: Josh Sheppard & Pathfynder Inc Exploit Contact: ghost a t undervurse dot_com & josh a t pathfynder dot_io Exploit Technique: Remote CVE ID: CVE-2021-42952 1. Description A container escape vulnerability has been discovered in Zepl's Notebooks product. Upon launching Remote Code Execution from the Notebook (CVE-2021-42950), users can then use that to subsequently escape the running context sandbox and proceed to access internal Zepl assets including cloud metadata services resulting in complete compromise of cloud assets. This vulnerability effects all previous versions of their Notebook product suite. 2. Disclosure Timeline 9/28/21 - Discovery and Exploitation 9/28/21 - Vendor Notified 10/31/21 - Patch Applied 2/16/22 - CVE Assigned 2/17/22 - Public Disclosure 3. Mitigation Hotfix applied to vendors SAAS solution, no action is necessary at this time # 0day.today [2024-10-05] #